Re: [104attendees] Side-meeting: Canonical JSON, Signed REST

Bret Jordan <jordan2175@gmail.com> Wed, 27 March 2019 12:40 UTC

From: Bret Jordan <jordan2175@gmail.com>
Date: Wed, 27 Mar 2019 13:40:25 +0100
Cc: 104Attendees <104attendees@ietf.org>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/104attendees/259f_CCRGK5hXAfiWH_eNc6uxto>

I am going to try and attend this side meeting, but I will probably be late (so many things going on). I do fully support this JCS effort and think it is critical for us to do. 

Bret 

Sent from my Commodore 128D

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

> On Mar 27, 2019, at 6:52 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
> Wednesday 14-15 in Paris.
> 
> My presentations at IETF-104 couldn't go into details, so here some additional facts and motivations.
> 
> The lack of canonicalized JSON has had quite practical implications in IETF security protocols like in this one:
> 
> https://tools.ietf.org/html/draft-ietf-teep-opentrustprotocol-02
> 
>  "The top element "<name>[Signed][Request|Response]" cannot be fully
>    trusted to match the content because it doesn't participate in the
>    signature generation.  However, a recipient can always match it with
>    the value associated with the property "payload".  It purely serves
>    to provide a quick reference for reading and method invocation"
> 
> That is, the TEEP folks were forced to add a redundant (and IMO pretty ugly) JSON layer in order to tag objects since the JWS signature scheme dresses the payload in Base64Url.  This scheme also introduces an additional validation step.
> 
> This is sort of the opposite to my own work in this space, where canonicalization is also applied to the JWS container itself (aka clear text signatures).  Here is an example from "Saturn":
> 
>  {
>      "requestHash": {
>          "alg": "S256",
>          "val": "cA-QNdJHcynjuM44ty-zXgXwx100AZVRFLmYx1So0Xc"
>      },
>      "domainName": "demomerchant.com",
>      "paymentMethod": "https://bankdirect.net",
>      "accountId": "8645-7800239403",
>      "timeStamp": "2019-03-23T10:33:02+01:00",
>      "signature": {
>          "alg": "ES256",
>          "jwk": {
>              "kty": "EC",
>              "crv": "P-256",
>              "x": "rQ4WXMB6_wQKHSiY_mbJ4QkGpfWLssF7hvIiiFpDEx8",
>              "y": "Fh2rl0LGTtvaomOuhuRNo9Drz9o0--WXV2ITvdVQFRY"
>          },
>          "val": "j2LL9pr2RyrPxvFlj8IzMhno5vvgGIgf2xi23dA5u_XwjYlIvT9qwIVKaCKYwjb26J5mMUL5zV02lqQGjZRClw"
>      }
> }
> 
> Recent proposal addressing Signed/JSON/REST since this apparently still is missing:
> https://tools.ietf.org/html/draft-rundgren-signed-http-requests-00
> https://datatracker.ietf.org/meeting/104/materials/slides-104-hotrfc-3-signed-http-requests-shreq-00
> 
> Bring your rotten tomatoes if you want :-)
> 
> Cheers,
> Anders
> 